google-auth-library-java

Investigate using ServiceAccountJwtAccessCredentials vs ServiceAccountCredentials

Open lqiu96 opened this issue 1 year ago • 0 comments

Issue stemmed from b/354698601

ServiceAccountJwtAccessCredentials may be setting the incorrect audience (not the default audience that is passed in to the Credentials). It may be using the URI for the http request instead of the shortened URI.

For example, the audience from this sample: https://cloud.google.com/bigquery/docs/json-web-tokens#java_example is https://bigquery.googleapis.com/bigquery/v2/... instead of https://bigquery.googleapis.com/. Previous attempts to use the shortened URI resulted in downstream failures in Spring-Cloud-GCP and Java samples (see comments in https://github.com/googleapis/google-auth-library-java/pull/572).

Our guidance is to use ServiceAccountCredentials with SSJWT whenever possible.

Scope

  1. Investigate the use cases of ServiceAccountJwtAccessCredentials
  2. Try to migrate any samples + recommendations of ServiceAccountJwtAccessCredentials to ServiceAccountCredentials with SSJWT
  3. Try to patch ServiceAccountJwtAccessCredentials to use the correct audience

edits: by @zhumin8 Minor corrections and provided more context links.

lqiu96, Aug 07 '24 21:08
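
An added example, not part of the issue or the library's code: a JDK-only check that reads the `aud` claim from a self-signed JWT and reports whether it is the shortened service URI or a full request URI, the distinction this issue describes. The class and method names, the unsigned sample tokens, the service account address and the request path are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AudienceCheck {
    // Shortened audience: scheme and host of the request URI plus a trailing slash.
    static String shortAudience(URI requestUri) {
        return requestUri.getScheme() + "://" + requestUri.getHost() + "/";
    }

    // Reads the string "aud" claim from a compact JWT. The signature is NOT verified:
    // this inspects what a client is about to send, it does not authenticate a token.
    static String audienceOf(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"aud\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no string aud claim");
        return m.group(1);
    }

    static String classify(String jwt, URI requestUri) {
        String aud = audienceOf(jwt);
        String root = shortAudience(requestUri);
        if (aud.equals(root)) return "service root";
        if (aud.startsWith(root)) return "request URI path under the service root";
        return "different host or scheme";
    }

    // Builds an unsigned, constructed token so the example runs without a key file.
    static String sampleJwt(String aud) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"sa@example-project.iam.gserviceaccount.com\",\"aud\":\"" + aud + "\"}";
        return enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
            + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".constructed-signature";
    }

    public static void main(String[] args) {
        // Constructed request URI; the path is a placeholder, not taken from the issue.
        URI request = URI.create("https://bigquery.googleapis.com/bigquery/v2/projects/example-project/datasets");
        System.out.println(classify(sampleJwt(request.toString()), request));      // request URI path under the service root
        System.out.println(classify(sampleJwt(shortAudience(request)), request));  // service root
    }
}
```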